Author Topic: Default Apache Security  (Read 752 times)

billy_gates

  • Member
  • **
  • Posts: 801
  • Kudos: 0
    • http://www.skinner.com/jeffberg
Default Apache Security
« on: 16 January 2003, 07:57 »
Are the default security settings in Apache and the overall system "safe" in redhat.  Also what is the best ownership user and permissions to set on the files and folders for the web server?

TheQuirk

  • VIP
  • Member
  • ***
  • Posts: 2,154
  • Kudos: 315
Default Apache Security
« Reply #1 on: 16 January 2003, 08:52 »
744 for static, 755 for "dynamic" pages.

Read this (it's mostly performance oriented, but it has a few security things in there. You should apply a lot of those stuff, though): http://php.weblogs.com/tuning_apache_unix

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
Default Apache Security
« Reply #2 on: 16 January 2003, 08:55 »
It is safe if you have your system up to date with all the updates. And of course if you don't have separate firewall you'll want to either configure the Linux firewall and turn off all services that are not in use. The rest depends on your content. As far as directory permissions go you usually don't want the user that Apache runs under (usually a user named "apache" or "nobody") to be able to write to anything on your system. I should say "as little as possible" as there may be occasions when you'll need to set up an area that Apache can write to, just keep it separate. And a default install of Red Hat will have the permissions properly set on all system areas.

You should search for web developer documentation out on the net that specifically discusses security. Also you might want to browse through the Apache web site, they should have some security information. Basically the default install + updates is secure. When you start configuring it above default and adding your own content is where your security may drop depending on how much you know about security.
Someone please remove this account. Thanks...

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
Default Apache Security
« Reply #3 on: 16 January 2003, 21:01 »
quote:
Originally posted by TheQuirk:
744 for static, 755 for "dynamic" pages.



Sorry but I have to disagree with the above. You do not want to set any files executable unless they need to be (CGI programs and directories are two things that need to be executable. Files with SSI using the Apache XBit Hack are another example. HTML and PHP scripts should not be set executable). And the above would definitely be wrong if the files are owned by the apache user, except for special cases.

[ January 16, 2003: Message edited by: void main ]

Someone please remove this account. Thanks...

TheQuirk

  • VIP
  • Member
  • ***
  • Posts: 2,154
  • Kudos: 315
Default Apache Security
« Reply #4 on: 16 January 2003, 21:57 »
Uhh, that's what I meant by dynamic.

Edit: nevermind, I get it. So shoot me.

[ January 16, 2003: Message edited by: TheQuirk ]


voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
Default Apache Security
« Reply #5 on: 16 January 2003, 12:16 »
quote:
Originally posted by TheQuirk:
Edit: nevermind, I get it. So shoot me.



Yes but both of your chmod commands will make the files in question executable. The 7 makes them executable for owner (rwx). And PHP files are dynamic yet they should not be set executable. 644 would be ok for non-executable files as long as the owner of the file is not "apache". And 755 would be ok for executable files, again as long as they are not owned by user "apache".

I hope I didn't upset you. It's just that security is one thing that everyone should be open for correction (and please correct me if you see me putting out information that is incorrect, I will surely appreciate it).

[ January 16, 2003: Message edited by: void main ]

Someone please remove this account. Thanks...

billy_gates

  • Member
  • **
  • Posts: 801
  • Kudos: 0
    • http://www.skinner.com/jeffberg
Default Apache Security
« Reply #6 on: 17 January 2003, 03:44 »
thanks for your help, I'm really new at this apache/linux/webserver stuff.
I also won't have any CGI or anything dynamic besides flash and PHP.  Are flash file something I should leave unexecutable?

[ January 16, 2003: Message edited by: Billy Gates: Mac Commando ]


voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
Default Apache Security
« Reply #7 on: 17 January 2003, 04:14 »
quote:
Originally posted by Billy Gates: Mac Commando:
thanks for your help, I'm really new at this apache/linux/webserver stuff.
I also won't have any CGI or anything dynamic besides flash and PHP.  Are flash file something I should leave unexecutable?

[ January 16, 2003: Message edited by: Billy Gates: Mac Commando ]



Correct, flash files should not be set executable. The only files that need to be set executable are files that are actually executed by the operating system running on the server (of course directories have to be set executable if you actually want to be able to change into them, and there are a slight few other exceptions to this). Flash does not fall into that category.
Someone please remove this account. Thanks...